1. Field of the Invention
The present invention relates to telecommunication systems, and more specifically to a method and apparatus for providing secure access from a user location to target systems with an easy-to-use user interface.
2. Related Art
Users at locations such as homes (hereafter "user locations" in general) often access target systems. In a typical scenario, a user uses a user system (e.g., computer system) at a user location to access a target computer system ("target system") of the user's employer. Target computer systems are typically accessed by several users. Places where the target computer systems are located may be referred to as target locations. Other examples of target locations include internet service providers (ISPs) and content providers such as Disney.
Communication between a user system and a target system is typically implemented on a virtual circuit provided on a telecommunication network. The telecommunication network may be implemented using media such as local loops, cable, and wireless technology. An example telecommunication network providing high speed remote access on local loops is described in RELATED APPLICATION noted above.
Telecommunication networks are commonly capable of supporting multiple virtual circuits from user systems. The virtual circuits can connect user systems at a user location to target systems at different target locations. For example, one virtual circuit may connect user systems to a target location related to an employer of the user, and another virtual circuit may connect user systems to a location related to an internet service provider (ISP) ("ISP Location").
The possibility of multiple virtual circuits from a user location is often a concern for owners or operators of the target systems. In the example of the preceding paragraph, the user's employer may be concerned about potential unauthorized access to the employer's target systems by an unknown person through the ISP location. That is, an employer may be concerned that a user location may provide the necessary connectivity between systems of such unknown persons and the target systems related to the employer. The possibility of unauthorized access is therefore undesirable in several situations.
Accordingly, what is required is a method and apparatus for providing secure access from a user location to desired target systems.
The present invention enables a service provider to provide secure access from a user system at a user location to target systems at a target location on a telecommunication network capable of connecting the user to multiple target locations simultaneously. A target location with the need for such secure access is referred to as a secure location. Secure access is provided by disabling connectivity to any other target locations from the user location when the user location is provided connectivity to the secure location. As connectivity is disabled to other target locations (such as ISPs), the target systems at the secure location may not be exposed to the risk of unauthorized access.
In a typical scenario, a customer premises equipment (CPE) is provided at a user location. A virtual connection is provided from the CPE to each of several target locations the user at user location may wish to access. However, when secure access is to be provided, data transfer on all the virtual connections other than the connection to the secure location may be disabled, thereby providing secure access to the desired target location. The virtual circuits may be implemented as permanent virtual circuits (PVCs).
Some example implementations on a telecommunication network facilitating the secure connection are described first. In one example implementation, a PVC is configured on the network between a CPE at a user location and each remote target location to which a user at the user location may wish to connect. However, the CPE is designed such that only the PVC to the secure location can transfer data when the user communicates with the secure location.
In an alternative implementation, only a single PVC may be provided to the CPE at a user location. However, the PVC may be used to connect to any one of several target locations as the user requests. When the user requests a connection, a session is established with an authentication system through a gateway. The authentication system may be implemented with several user identifiers, with each user identifier corresponding to one target location. Thus, the user may be requested to enter a user identifier and a corresponding password, and upon proper authentication, a session is established to a target location corresponding to the user identifier. The sessions to the authentication server and the target location may be implemented, for example, using point-to-point protocols (PPP) well known in the relevant arts.
The manner in which a user may request connection to the secure target location is described now. In one embodiment, a physical switch may be provided on the CPE to enable the user to indicate the target location to which the CPE is to be connected. When the user indicates the target location by the operation of the physical switch, the CPE provides connectivity to only the indicated target location. For example, in the multiple PVC based approach noted above, the CPE may be designed to transfer data only on the PVC corresponding to the secure location if the user selects connection to the secure location.
Alternatively, a profile may be provided for each position of the switch, with each profile providing configuration data for the CPE. Thus, when a user selects a particular position, the CPE may operate from the profile corresponding to that position. The profile corresponding to the secure location may disable connections to other target locations. In another variation, the user may select a profile using an appropriate user interface provided, for example, from an end system. The CPE may then be made to operate from the selected profile, for example, by rebooting the CPE.
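The multiple-PVC approach and the per-switch-position profiles described above can be modelled as a small forwarding policy. The following is an added illustration, not code from the patent or from any CPE product: the PVC identifiers, target location names and switch positions are constructed, and the "secure" profile simply enables only the PVC(s) that terminate at the secure location, so frames offered on any other PVC are dropped and logged while that profile is active.

```python
from dataclasses import dataclass, field

# Constructed model of the CPE described in the text (added example, not the
# patent's own code). A PVC is identified here by a hypothetical (vpi, vci)
# pair; target location names are illustrative.
@dataclass
class Profile:
    name: str
    enabled_pvcs: frozenset   # PVC ids on which data transfer is permitted

@dataclass
class CPE:
    pvc_to_target: dict       # pvc id -> target location name
    profiles: dict            # switch position -> Profile
    position: int = 0         # current switch position
    log: list = field(default_factory=list)

    def select(self, position):
        """Operate the switch; the CPE then runs from that position's profile."""
        if position not in self.profiles:
            raise ValueError(f"no profile for switch position {position}")
        self.position = position

    def active_profile(self):
        return self.profiles[self.position]

    def forward(self, pvc, payload):
        """Return True if a frame is transferred on `pvc`, False if dropped."""
        if pvc not in self.pvc_to_target:
            self.log.append(("drop", "unknown-pvc", pvc))
            return False
        if pvc not in self.active_profile().enabled_pvcs:
            # Data transfer on this PVC is disabled by the active profile.
            self.log.append(("drop", "disabled-by-profile", pvc))
            return False
        self.log.append(("forward", self.pvc_to_target[pvc], pvc))
        return True

def secure_profile(pvc_to_target, secure_target):
    """Profile that enables only the PVC(s) terminating at the secure location."""
    allowed = frozenset(p for p, t in pvc_to_target.items() if t == secure_target)
    return Profile(f"secure:{secure_target}", allowed)

def open_profile(pvc_to_target):
    """Profile with data transfer permitted on every configured PVC."""
    return Profile("open", frozenset(pvc_to_target))

def build_demo_cpe():
    # Constructed sample: position 0 = open, position 1 = secure (employer only).
    pvcs = {(0, 32): "employer", (0, 33): "isp", (0, 34): "content-provider"}
    profiles = {0: open_profile(pvcs), 1: secure_profile(pvcs, "employer")}
    return CPE(pvcs, profiles)
```

The drop log is what an operator would inspect to confirm that, with the secure profile selected, no frames left the user location on the ISP or content-provider circuits.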
It should be understood that the selection mechanisms and implementation of virtual circuits on the telecommunication network(s) noted above are merely examples. Also, different combinations of selection mechanisms, CPE configuration mechanisms, and provisioning of virtual circuits on the shared network can be used without departing from the scope and spirit of the present invention.
Thus, the present invention provides a method and system for providing secure access from a user location to a desired target location ("secure location") by disabling connectivity to any other target locations when the user location is provided connectivity to the secure location.
The present invention provides a simple interface for a user to select a desired target location for secure access by providing mechanisms such as a physical switch which can be operated to select the desired target location, and a user interface from a user system to configure the CPE.
The present invention provides a secure method of remote access: in one implementation only a single PVC may be provided from a user location, and while accessing the secure location the user location is unable to access any target location other than the secure location.
The present invention is particularly suited for companies such as incumbent local exchange carriers (ILECs), competitive local exchange carriers (CLECs), and other companies providing high bandwidth connections between homes and employers as the employers may be concerned about risk of unauthorized access which may be present without the operation of the present invention.
Further features and advantages of the invention, as well as the structure and operation of various embodiments of the invention, are described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.